{"id":237884,"date":"2022-02-25T04:57:00","date_gmt":"2022-02-25T09:57:00","guid":{"rendered":"https:\/\/wordpress-756359-3782526.cloudwaysapps.com\/?p=237884"},"modified":"2025-05-30T07:29:14","modified_gmt":"2025-05-30T07:29:14","slug":"2022-02-25-toggle","status":"publish","type":"post","link":"https:\/\/www.travis-ci.com\/blog\/2022-02-25-toggle\/","title":{"rendered":"Repository settings for sharing encrypted variables and SSH keys (Git Forks)"},"content":{"rendered":"\n<p>It\u2019s a given that collaboration happens at multiple levels when building software in Git repositories. One popular way of collaborating is to \u2018fork\u2019 an original repository and execute a \u2018pull request\u2019 (PR) against the original (i.e., \u2018base\u2019) repository. Employing a CI\/CD tool in this scenario usually takes place as an automated check to see whether the changes proposed in the pull request from the fork will break anything in the base. However, for this to work, the base repository must often share some secret data with the fork, which a malicious actor could abuse.<\/p>\n\n\n\n<p>Some teams wish to accept the risks and share these secrets, while some do not. Regardless of what is the best decision for your organization, we believe you deserve a choice. 
This is why we are excited to introduce new repository-level settings in Travis CI that allow repository owners and administrators to explicitly make this choice.<\/p>\n\n\n\n<p>For all repositories activated in Travis CI before March 1, 2022, the default repository-level settings will be as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.travis-ci.com\/user\/encryption-keys\/\">Encrypted Data<\/a>&nbsp;\u2013 Sharing of encrypted environment variables with repository forks is set to OFF (please verify whether this suits your security preferences, particularly for public repositories).<\/li>\n\n\n\n<li><a href=\"https:\/\/docs.travis-ci.com\/user\/private-dependencies\/\">Custom SSH Keys<\/a>&nbsp;\u2013 Sharing of the custom SSH key (which may be present in private repositories) is set to ON, which helps ensure that build setups using forks from private repositories do not break.<\/li>\n<\/ul>\n\n\n\n<p>All repositories activated in Travis CI after March 1, 2022, will have both settings set to OFF by default. After this change, organizations that wish to enhance collaboration by working with \u2018forks\u2019 and sharing some of the \u2018base\u2019 secrets or SSH keys will be required to explicitly enable these settings at the repository level in Travis CI. This will allow teams to adjust each repository\u2019s fork-access settings to fit their specific needs. 
See figures 1 and 2 below that show these settings:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"797\" height=\"396\" src=\"https:\/\/www.travis-ci.com\/wp-content\/uploads\/2024\/06\/156233465-517c3f01-0ff4-4353-aa2c-d83644c68267-1.png\" alt=\"\" class=\"wp-image-240018\" srcset=\"https:\/\/www.travis-ci.com\/wp-content\/uploads\/2024\/06\/156233465-517c3f01-0ff4-4353-aa2c-d83644c68267-1.png 797w, https:\/\/www.travis-ci.com\/wp-content\/uploads\/2024\/06\/156233465-517c3f01-0ff4-4353-aa2c-d83644c68267-1-300x149.png 300w, https:\/\/www.travis-ci.com\/wp-content\/uploads\/2024\/06\/156233465-517c3f01-0ff4-4353-aa2c-d83644c68267-1-768x382.png 768w\" sizes=\"auto, (max-width: 797px) 100vw, 797px\" \/><\/figure>\n\n\n\n<p><em>Fig. 1 Public repository settings in https:\/\/app.travis-ci.com<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"790\" height=\"442\" src=\"https:\/\/www.travis-ci.com\/wp-content\/uploads\/2024\/06\/156233569-58226009-70df-46fa-983e-e9297297b535-1.png\" alt=\"\" class=\"wp-image-240020\" srcset=\"https:\/\/www.travis-ci.com\/wp-content\/uploads\/2024\/06\/156233569-58226009-70df-46fa-983e-e9297297b535-1.png 790w, https:\/\/www.travis-ci.com\/wp-content\/uploads\/2024\/06\/156233569-58226009-70df-46fa-983e-e9297297b535-1-300x168.png 300w, https:\/\/www.travis-ci.com\/wp-content\/uploads\/2024\/06\/156233569-58226009-70df-46fa-983e-e9297297b535-1-768x430.png 768w\" sizes=\"auto, (max-width: 790px) 100vw, 790px\" \/><\/figure>\n\n\n\n<p><em>Fig. 
2 Private repository settings in https:\/\/app.travis-ci.com<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"whom-does-this-change-affect\">Whom does this change affect?<\/h2>\n\n\n\n<p>If you have repositories activated in&nbsp;<a href=\"https:\/\/app.travis-ci.com\/\">travis-ci.com<\/a>&nbsp;before March 1, 2022, and are working with pull requests from forks, then no changes are necessarily required. However, you may still adjust repository settings whenever you wish. Please be aware of the potential risks to public repositories if you choose to enable this setting. After March 1, 2022, if you wish to share encrypted secrets and\/or SSH keys with forks in order to have pull requests from forks of a repository built as a part of your CI\/CD procedures, you will need to adjust the repository-level settings. If you work with pull requests filed from branches of the repository instead of from forks, this change does not affect you.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"products-affected\">Products affected<\/h2>\n\n\n\n<p>The change is going to be released to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.travis-ci.com\/\">Travis CI Hosted Solution (travis-ci.com)<\/a>.<\/li>\n\n\n\n<li>Travis CI Enterprise 3 (an on-prem version of Travis CI).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"further-reading\">Further Reading<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.travis-ci.com\/user\/encryption-keys\/\">Encryption keys<\/a>&nbsp;in public Travis CI documentation.<\/li>\n\n\n\n<li><a href=\"https:\/\/docs.travis-ci.com\/user\/private-dependencies\/\">Private dependencies<\/a>&nbsp;in public Travis CI documentation, particularly Custom SSH Key section.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"special-thanks\">Special thanks<\/h2>\n\n\n\n<p>The Travis team would like to use this occasion to say \u201cThank you!\u201d to all the researchers and engineers contributing with 
their reports to enhance security here at Travis CI!<\/p>\n\n\n\n<p>As always, if you have any questions, please email&nbsp;<a href=\"mailto:support@travis-ci.com\">support@travis-ci.com<\/a>&nbsp;for help.<\/p>\n\n\n\n<p>Happy building!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It\u2019s a given that collaboration happens at multiple levels when building software in Git repositories. One popular way of collaborating is to \u2018fork\u2019 an original repository and execute a \u2018pull request\u2019 (PR) against the original (i.e., \u2018base\u2019) repository. Employing a CI\/CD tool in this scenario usually takes place as an automated check to see whether [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_breakdance_hide_in_design_set":false,"_breakdance_tags":"","footnotes":""},"categories":[16],"tags":[7,19,20,5],"class_list":["post-237884","post","type-post","status-publish","format-standard","hentry","category-news","tag-community","tag-feature","tag-infrastructure","tag-news"],"_links":{"self":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts\/237884","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/comments?post=237884"}],"version-history":[{"count":1,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts\/237884\/revisions"}],"predecessor-version":[{"id":240021,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/posts\/237884\/revisions\/240021"}],"wp:attachment":[{"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/media?parent=237884"}],"wp:term":[{"taxonomy":"category","embeddable":tr
ue,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/categories?post=237884"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.travis-ci.com\/wp-json\/wp\/v2\/tags?post=237884"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}